Trickster
Last updated
This application poses a simple (yet tricky) file upload challenge that is chained to RCE.
The application allows a user to upload a PNG file. It then checks whether it is a valid PNG or not. If it is, it accepts the file.
memory map:
The application must be uploading this file somewhere
We need to figure out the uploaded directory
We need to figure out a legit bypass
We need to chain the file upload to another vulnerability that can provide access to the flag.
So, I inspected the robots.txt file and saw the disallowed entry "uploads/". Also, instructions.txt
As we can see, the instructions file gives us a hint.
Observations:
When I upload a legit PNG file, I can access it under /uploads/name.png
Upon uploading a non-PNG file I get this error:
I tried the double extension bypass:
The bypass doesn't happen properly even though the file does contain a PNG extension.
Upon inspecting the file type it is an ASCII text. Perhaps this is where we have to utilize the magic bytes phenomenon that instructions.txt told us about. Let's put some magic bytes in this and make it a legit PNG file.
Here, we see that the website is not saying "It's not a valid PNG file"; rather, it is giving a different error: "File name does not contain '.png'"
So, I rename the file to "shell.png.php" so that .png is there in the filename somewhere!
shell.png.php
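The two error messages suggest the server checks the filename for a ".png" substring and the content for the PNG magic bytes, independently. The following Python is an added example (not the challenge's own code): `weak_validate` is an assumed reconstruction of that logic, shown next to a hardened validator that allow-lists only the final extension and never reuses the client's filename on disk.

```python
import hashlib
import os

# Eight-byte PNG signature that a magic-bytes check looks for.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def weak_validate(filename: str, data: bytes) -> bool:
    """Assumed reconstruction of the challenge's check: the name only has to
    *contain* '.png' somewhere, and the content only has to start with the
    PNG signature. 'shell.png.php' plus the magic bytes satisfies both."""
    if ".png" not in filename:
        return False  # "File name does not contain '.png'"
    if not data.startswith(PNG_MAGIC):
        return False  # "It's not a valid PNG file"
    return True


def hardened_validate(filename: str, data: bytes) -> bool:
    """Allow-list the *final* extension, drop any client-supplied path
    components, and still require the PNG signature."""
    base = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    if not root or ext.lower() != ".png":
        return False  # 'shell.png.php' -> final ext is '.php', rejected
    if not data.startswith(PNG_MAGIC):
        return False
    return True


def stored_name(data: bytes) -> str:
    """Never store the upload under the client's name: derive the on-disk
    name from the content hash and pin the extension, so the web server's
    handler selection can never be steered by an attacker-chosen suffix."""
    return hashlib.sha256(data).hexdigest() + ".png"
```

Even with `hardened_validate`, serving the uploads directory with script execution disabled is the control that stops a stored file from being run as code.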
As I can see, the file we uploaded is being processed here
Let's try our RCE
We can see that RCE works!
Unlike other challenges, I searched a lot but couldn't find flag.txt. I looked at the available binaries (using the ls /bin command) and found that find/locate weren't there.
I looked around in the apache directory and found the flag!